In the physical world, individual persons are able to assess one another by sight, hearing and an accounting of physical attributes. Drivers' licenses, passports and other regulated documents provide verified accountings of attributes that permit individuals to validate who they are, or for others to validate who an individual says he or she is.
Fingerprints, retinal pattern, breath and DNA among other attributes are understood and recognized to be highly individualistic and are widely accepted and used to verify identity. But these attributes are physical and tied to a physical world.
Computers have become commonplace and highly integrated in nearly all aspects of modern life—transcending the bounds of professional and social spaces, computers are a prominent fixture in the workplace, in the home, as mobile devices and in many other places and arenas of daily life and modern existence.
Increasingly, individuals are representing themselves in the cyber world of computer systems and computer networks, where digital information in the elemental form of binary data is entirely ignorant of physicality. A critical problem in cyberspace is knowing with whom you are dealing—in short, at the present time there is no precise way to determine the identity of a person in digital space. Friends, family members, or colleagues may use a common computer, share passwords, or even pretend to be people they are not. Sometimes these actions are benign—sometimes they are not.
As computers are often used in a commercial setting such as a business, organization or secured network (hereinafter “business”), there are often very legitimate desires by that business to know who is accessing their network. In addition, in many instances it is highly desired by a business or organization to not only know who is using their system, but also to control the type of equipment that is used with their system.
In many instances companies or other entities make use of digital certificates in an effort to gain control of who has access to what, when, and perhaps from where. In very simple terms, the digital certificate is somewhat like a key that can open the gate to secured resources.
Digital Certificates, also known as public key Certificates, are electronic documents that use a digital signature (a mathematical scheme for demonstrating authenticity) to bind a key, such as a public key, to an identity. A public key infrastructure (PKI) is the set of hardware, software, people, policies and/or procedures used to create, manage, distribute, use, store and revoke digital Certificates.
When referring to or working with Certificates, a PKI is in many cases implied. More simply put, digital Certificates are electronic documents that are offered to prove or verify the identity of a User. Typically a Certificate is issued by a Certificate Authority (CA) that has performed some threshold of verification in order to assert that the party to whom the Certificate is issued is indeed the party he or she reports to be. For a business or organization, the PKI is typically operated by the business itself, or by a third party entity that has been charged with providing digital Certificates to the employees.
Indeed, Certificates can and often do provide a great deal of simplicity in authenticating a User as the User has clearly established himself or herself in some way that is sufficient for a Certificate authority to provide the digital Certificate. Relying on a Certificate can ease a network's reliance on parties having previously established or contemporaneously establishing a local identity—a savings both in terms of time for the User and costs associated with the overhead and storage of the User identity for the local network.
Validation of a Certificate is traditionally accomplished by checking the Certificate against a Certificate Revocation List (“CRL”) provided by the issuing Certificate Authority. The Certificate Revocation List is typically a very long document that is provided in batch, which is to say that it is not generally updated in real time and is not contemporaneously available to Users. Those wishing to check the validity of Certificates must obtain the CRL at regular intervals and then review that entire list: if the serial number of a Certificate is not listed, then the Certificate is presumed valid; if the Certificate's serial number is listed, then the Certificate has been revoked.
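The lookup described above, as an added example that is not part of this application: a relying party holds a CRL fetched at some interval and answers "is this serial listed?" for each Certificate it sees. The CRL structure, the issuer names, the serial numbers and the revocation timeline are all constructed for the illustration; treating a CRL past its nextUpdate, or one from a different issuer, as "unknown" rather than "valid" is a defensive design choice added here, not something the text prescribes. The scenario also shows the latency the passage complains about: a Certificate revoked after the cached list was published still checks as good until the next batch is fetched.

```python
"""Toy CRL check: the batch 'is this serial listed?' lookup (example code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    GOOD = "good"          # serial not on the list, so presumed valid
    REVOKED = "revoked"    # serial is on the list
    UNKNOWN = "unknown"    # this CRL cannot answer (wrong issuer or stale)


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: str            # e.g. "keyCompromise", "cessationOfOperation"


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    subject: str


@dataclass
class CRL:
    """Simplified revocation list: issuer, validity window, revoked serials."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)   # serial -> RevokedEntry

    def revoke(self, serial, when, reason):
        self.revoked[serial] = RevokedEntry(serial, when, reason)


def check_certificate(cert, crl, now):
    """Return (Status, explanation) for cert using the cached CRL at time now."""
    if crl.issuer != cert.issuer:
        return Status.UNKNOWN, "CRL was issued by a different CA"
    if now > crl.next_update:
        # A stale list proves nothing: 'not listed' no longer means valid.
        return Status.UNKNOWN, "CRL expired; refresh before trusting 'not listed'"
    entry = crl.revoked.get(cert.serial)
    if entry is None:
        return Status.GOOD, "serial not listed; presumed valid"
    return Status.REVOKED, f"revoked on {entry.revocation_date.date()} ({entry.reason})"


def build_scenario():
    """Constructed sample data: one CA, two certs, a CRL published at T0."""
    t0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    ca = "CN=Example Corp Issuing CA"          # hypothetical issuer name
    alice = Certificate(ca, 0x1001, "CN=alice")
    bob = Certificate(ca, 0x1002, "CN=bob")
    crl = CRL(ca, this_update=t0, next_update=t0 + timedelta(days=7))
    crl.revoke(bob.serial, t0 - timedelta(days=1), "keyCompromise")
    return t0, ca, alice, bob, crl


def run_demo():
    """Walk through the lookups and return {scenario name: Status}."""
    t0, ca, alice, bob, crl = build_scenario()
    results = {}
    # 1. Ordinary lookups shortly after the CRL was fetched.
    results["alice_day1"] = check_certificate(alice, crl, t0 + timedelta(days=1))[0]
    results["bob_day1"] = check_certificate(bob, crl, t0 + timedelta(days=1))[0]
    # 2. Alice's equipment is stolen on day 2 and the CA revokes her cert,
    #    but the relying party still holds the list fetched at T0.
    results["alice_day2_cached_list"] = check_certificate(alice, crl, t0 + timedelta(days=2))[0]
    # 3. The revocation only becomes visible once the next batch CRL is fetched.
    next_crl = CRL(ca, this_update=t0 + timedelta(days=7),
                   next_update=t0 + timedelta(days=14))
    next_crl.revoke(bob.serial, t0 - timedelta(days=1), "keyCompromise")
    next_crl.revoke(alice.serial, t0 + timedelta(days=2), "keyCompromise")
    results["alice_day8_new_list"] = check_certificate(alice, next_crl, t0 + timedelta(days=8))[0]
    # 4. Consulting the old CRL past its nextUpdate yields UNKNOWN, not GOOD.
    results["alice_day8_old_list"] = check_certificate(alice, crl, t0 + timedelta(days=8))[0]
    # 5. A CRL from some other CA says nothing about this issuer's certs.
    other = CRL("CN=Other CA", t0, t0 + timedelta(days=7))
    results["alice_wrong_issuer"] = check_certificate(alice, other, t0)[0]
    return results


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:24s} -> {status.value}")
```

Scenario 2 is the gap the passage describes: between two batch publications a revoked Certificate still passes the lookup, and nothing in the cached list tells the relying party that the answer is out of date.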
This batch processing is both time consuming and in some cases does not provide the speed, flexibility, tunability, and/or adaptability of control that may truly be desired. Indeed, changes may have occurred—such as termination, theft of equipment, or even simple vacation of the User—which might very well affect the conditional state of his or her Certificate, but which might not yet be reflected in the CRL.
In addition, in some cases revocation of a Certificate may be initiated and followed shortly thereafter by the re-issuing of a new Certificate to the same User. This back and forth with the Certificate Authority, with the removal of old digital Certificates and the installation of new Certificates, is at times a frustrating and time consuming task that detracts from time that might otherwise be spent more productively on business matters.
Hence there is a need for a method and system that is capable of overcoming one or more of the above identified challenges.